authorBenedikt Boehm <hollow@gentoo.org>2008-04-03 10:42:56 +0000
committerBenedikt Boehm <hollow@gentoo.org>2008-04-03 10:42:56 +0000
commit41a09c5006bf02f74e8cd3e7e6886336d7575989 (patch)
treea7b3e26ef16a6dff74e84e45b8f2a1626c7a1158 /www-apps/roundup
parentversion bump wrt security #214212 (diff)
fix security #214666; remove old versions
(Portage version: 2.1.4.4)
Diffstat (limited to 'www-apps/roundup')
-rw-r--r--www-apps/roundup/ChangeLog9
-rw-r--r--www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch215
-rw-r--r--www-apps/roundup/roundup-0.7.6.ebuild41
-rw-r--r--www-apps/roundup/roundup-0.8.5.ebuild42
-rw-r--r--www-apps/roundup/roundup-1.4.4-r1.ebuild (renamed from www-apps/roundup/roundup-1.4.1.ebuild)17
5 files changed, 231 insertions, 93 deletions
diff --git a/www-apps/roundup/ChangeLog b/www-apps/roundup/ChangeLog
index 310aaa2cc7a8..87ff248fecee 100644
--- a/www-apps/roundup/ChangeLog
+++ b/www-apps/roundup/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for www-apps/roundup
# Copyright 2002-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/ChangeLog,v 1.18 2008/03/09 10:10:57 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/ChangeLog,v 1.19 2008/04/03 10:42:55 hollow Exp $
+
+*roundup-1.4.4-r1 (03 Apr 2008)
+
+ 03 Apr 2008; Benedikt Böhm <hollow@gentoo.org>
+ +files/roundup-1.4.4-CVE-2008-1475.patch, -roundup-0.7.6.ebuild,
+ -roundup-0.8.5.ebuild, -roundup-1.4.1.ebuild, +roundup-1.4.4-r1.ebuild:
+ fix security #214666; remove old versions
09 Mar 2008; Peter Volkov <pva@gentoo.org> roundup-1.4.4.ebuild:
amd64 stable, security bug #212488.
diff --git a/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch b/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch
new file mode 100644
index 000000000000..8cf9c2ae0f39
--- /dev/null
+++ b/www-apps/roundup/files/roundup-1.4.4-CVE-2008-1475.patch
@@ -0,0 +1,215 @@
+Index: roundup/xmlrpc.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/roundup/xmlrpc.py,v
+retrieving revision 1.5
+diff -u -r1.5 xmlrpc.py
+--- roundup/xmlrpc.py 3 Nov 2007 00:50:37 -0000 1.5
++++ roundup/xmlrpc.py 4 Mar 2008 18:13:49 -0000
+@@ -63,13 +63,10 @@
+ def close(self):
+ """Close the database, after committing any changes, if needed."""
+
+- if getattr(self, 'db'):
+- try:
+- if self.db.transactions:
+- self.db.commit()
+- finally:
+- self.db.close()
+-
++ try:
++ self.db.commit()
++ finally:
++ self.db.close()
+
+ def get_class(self, classname):
+ """Return the class for the given classname."""
+@@ -115,51 +112,52 @@
+
+ def list(self, username, password, classname, propname=None):
+ r = RoundupRequest(self.tracker, username, password)
+- cl = r.get_class(classname)
+- if not propname:
+- propname = cl.labelprop()
+- def has_perm(itemid):
+- return True
+- r.db.security.hasPermission('View', r.userid, classname,
+- itemid=itemid, property=propname)
+- result = [cl.get(id, propname) for id in cl.list()
+- if has_perm(id)]
+- r.close()
++ try:
++ cl = r.get_class(classname)
++ if not propname:
++ propname = cl.labelprop()
++ result = [ cl.get(itemid, propname) for itemid in cl.list()
++ if r.db.security.hasPermission \
++ ('View', r.userid, classname, propname, itemid)
++ ]
++ finally:
++ r.close()
+ return result
+
+ def display(self, username, password, designator, *properties):
+ r = RoundupRequest(self.tracker, username, password)
+- classname, itemid = hyperdb.splitDesignator(designator)
+-
+- if not r.db.security.hasPermission('View', r.userid, classname,
+- itemid=itemid):
+- raise Unauthorised('Permission to view %s denied'%designator)
+-
+- cl = r.get_class(classname)
+- props = properties and list(properties) or cl.properties.keys()
+- props.sort()
+- result = [(property, cl.get(itemid, property)) for property in props]
+- r.close()
++ try:
++ classname, itemid = hyperdb.splitDesignator(designator)
++ cl = r.get_class(classname)
++ props = properties and list(properties) or cl.properties.keys()
++ props.sort()
++ for p in props:
++ if not r.db.security.hasPermission \
++ ('View', r.userid, classname, p, itemid):
++ raise Unauthorised \
++ ('Permission to view %s of %s denied' % (p, designator))
++ result = [(prop, cl.get(itemid, prop)) for prop in props]
++ finally:
++ r.close()
+ return dict(result)
+
+ def create(self, username, password, classname, *args):
+ r = RoundupRequest(self.tracker, username, password)
++ try:
++ if not r.db.security.hasPermission('Create', r.userid, classname):
++ raise Unauthorised('Permission to create %s denied'%classname)
+
+- if not r.db.security.hasPermission('Create', r.userid, classname):
+- raise Unauthorised('Permission to create %s denied'%classname)
+-
+- cl = r.get_class(classname)
++ cl = r.get_class(classname)
+
+- # convert types
+- props = r.props_from_args(cl, args)
++ # convert types
++ props = r.props_from_args(cl, args)
+
+- # check for the key property
+- key = cl.getkey()
+- if key and not props.has_key(key):
+- raise UsageError, 'you must provide the "%s" property.'%key
++ # check for the key property
++ key = cl.getkey()
++ if key and not props.has_key(key):
++ raise UsageError, 'you must provide the "%s" property.'%key
+
+- # do the actual create
+- try:
++ # do the actual create
+ try:
+ result = cl.create(**props)
+ except (TypeError, IndexError, ValueError), message:
+@@ -170,19 +168,17 @@
+
+ def set(self, username, password, designator, *args):
+ r = RoundupRequest(self.tracker, username, password)
+- classname, itemid = hyperdb.splitDesignator(designator)
+-
+- if not r.db.security.hasPermission('Edit', r.userid, classname,
+- itemid=itemid):
+- raise Unauthorised('Permission to edit %s denied'%designator)
+-
+- cl = r.get_class(classname)
+-
+- # convert types
+- props = r.props_from_args(cl, args)
+ try:
++ classname, itemid = hyperdb.splitDesignator(designator)
++ cl = r.get_class(classname)
++ props = r.props_from_args(cl, args) # convert types
++ for p in props.iterkeys ():
++ if not r.db.security.hasPermission \
++ ('Edit', r.userid, classname, p, itemid):
++ raise Unauthorised\
++ ('Permission to edit %s of %s denied'%(p, designator))
+ try:
+- cl.set(itemid, **props)
++ return cl.set(itemid, **props)
+ except (TypeError, IndexError, ValueError), message:
+ raise UsageError, message
+ finally:
+Index: test/db_test_base.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/test/db_test_base.py,v
+retrieving revision 1.96
+diff -u -r1.96 db_test_base.py
+--- test/db_test_base.py 7 Feb 2008 03:28:34 -0000 1.96
++++ test/db_test_base.py 4 Mar 2008 18:13:50 -0000
+@@ -62,6 +62,7 @@
+ tracker = instance.open(dirname)
+ if tracker.exists():
+ tracker.nuke()
++ init.write_select_db(dirname, backend)
+ tracker.init(password.Password('sekrit'))
+ return tracker
+
+@@ -293,7 +294,7 @@
+ l = [u1,u2]; l.sort()
+ m = self.db.issue.get(nid, "nosy"); m.sort()
+ self.assertEqual(l, m)
+-
++
+
+ # XXX one day, maybe...
+ # def testMultilinkOrdering(self):
+Index: test/test_xmlrpc.py
+===================================================================
+RCS file: /cvsroot/roundup/roundup/test/test_xmlrpc.py,v
+retrieving revision 1.4
+diff -u -r1.4 test_xmlrpc.py
+--- test/test_xmlrpc.py 3 Nov 2007 00:50:38 -0000 1.4
++++ test/test_xmlrpc.py 4 Mar 2008 18:13:50 -0000
+@@ -9,23 +9,26 @@
+ from roundup.cgi.exceptions import *
+ from roundup import init, instance, password, hyperdb, date
+ from roundup.xmlrpc import RoundupServer
++from roundup.backends import list_backends
+
+ import db_test_base
+
+ NEEDS_INSTANCE = 1
+
+ class TestCase(unittest.TestCase):
++
++ backend = None
++
+ def setUp(self):
+ self.dirname = '_test_xmlrpc'
+ # set up and open a tracker
+- self.instance = db_test_base.setupTracker(self.dirname)
++ self.instance = db_test_base.setupTracker(self.dirname, self.backend)
+
+ # open the database
+ self.db = self.instance.open('admin')
+ self.joeid = 'user' + self.db.user.create(username='joe',
+ password=password.Password('random'), address='random@home.org',
+ realname='Joe Random', roles='User')
+-
+ self.db.commit()
+ self.db.close()
+
+@@ -89,10 +92,12 @@
+
+ def test_suite():
+ suite = unittest.TestSuite()
+- suite.addTest(unittest.makeSuite(TestCase))
++ for l in list_backends() :
++ dct = dict(backend = l)
++ subcls = type(TestCase)('TestCase_%s' % l, (TestCase,), dct)
++ suite.addTest(unittest.makeSuite(subcls))
+ return suite
+
+ if __name__ == '__main__':
+ runner = unittest.TextTestRunner()
+ unittest.main(testRunner=runner)
+-
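Review bot: In the embedded xmlrpc.py change, `close()` now calls `self.db.commit()` unconditionally, and `list()` and `display()` invoke `r.close()` from a `finally:` clause, so the commit also runs while an exception such as `Unauthorised` is propagating. That is harmless for those two read-only methods, but `create()` and `set()` are restructured the same way and their `finally:` bodies lie outside the visible hunks. If they also call `r.close()`, a `cl.create()` or `cl.set()` that fails partway would presumably have any pending changes committed rather than discarded. I would reduce `close()` to `self.db.close()` and call `r.db.commit()` explicitly on the success path of the mutating methods, so the error path closes without committing. Separately, the new `hasPermission` calls pass the property and `itemid` positionally where the removed code used `itemid=itemid, property=propname`; keeping the keywords would protect the per-property check against argument-order mistakes.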
diff --git a/www-apps/roundup/roundup-0.7.6.ebuild b/www-apps/roundup/roundup-0.7.6.ebuild
deleted file mode 100644
index 91c206817dc6..000000000000
--- a/www-apps/roundup/roundup-0.7.6.ebuild
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/roundup-0.7.6.ebuild,v 1.3 2004/09/05 09:01:37 swegener Exp $
-
-inherit eutils
-
-DESCRIPTION="Simple-to-use and -install issue-tracking system with command-line, web, and e-mail interfaces."
-SRC_URI="mirror://sourceforge/roundup/${P}.tar.gz"
-HOMEPAGE="http://roundup.sourceforge.net"
-KEYWORDS="x86 sparc ~amd64 ppc"
-LICENSE="as-is"
-SLOT="0"
-IUSE=""
-
-DEPEND=">=dev-lang/python-2.2
- >=sys-libs/db-3.2.9"
-
-src_compile() {
- python setup.py build || die
-}
-
-src_install() {
- python setup.py install --root=${D} --prefix=/usr || die
- dodoc CHANGES.txt PKG-INFO README.txt doc/*.txt
- dohtml doc/*.html
- dobin ${FILESDIR}/roundup
-}
-
-pkg_postinst() {
- einfo
- ewarn "As a non privileged user! (not root)"
- einfo "Run 'roundup-admin install' to set up a roundup instance"
- einfo "Then edit your config.py file in the tracker home you setup"
- einfo "Run 'roundup-admin initialise' to setup the admin pass"
- einfo "run /usr/bin/roundup start port host [your tracker home] and all should work!"
- einfo "run /usr/bin/roundup stop [your tracker home] to stop the server"
- einfo "log is in [tracker home]/roundup.log"
- einfo "pid file is in [tracker home]/roundup.pid"
- einfo
- einfo "See upgrading.txt for upgrading instructions."
-}
diff --git a/www-apps/roundup/roundup-0.8.5.ebuild b/www-apps/roundup/roundup-0.8.5.ebuild
deleted file mode 100644
index 5c90102e2bdf..000000000000
--- a/www-apps/roundup/roundup-0.8.5.ebuild
+++ /dev/null
@@ -1,42 +0,0 @@
-# Copyright 1999-2006 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/roundup-0.8.5.ebuild,v 1.3 2006/11/25 03:05:37 beandog Exp $
-
-inherit eutils
-
-DESCRIPTION="Simple-to-use and -install issue-tracking system with command-line, web, and e-mail interfaces."
-SRC_URI="mirror://sourceforge/roundup/${P}.tar.gz"
-HOMEPAGE="http://roundup.sourceforge.net"
-KEYWORDS="~x86 ~sparc ~amd64 ~ppc"
-LICENSE="as-is"
-SLOT="0"
-IUSE=""
-
-DEPEND=">=dev-lang/python-2.3
- >=sys-libs/db-3.2.9"
-
-src_compile() {
- python setup.py build || die
-}
-
-src_install() {
- python setup.py install --root="${D}" --prefix=/usr || die
- dodoc CHANGES.txt PKG-INFO README.txt doc/*.txt
- dohtml doc/*.html
- dobin "${FILESDIR}"/roundup
-}
-
-pkg_postinst() {
- einfo
- ewarn "As a non privileged user! (not root)"
- einfo "Run 'roundup-admin install' to set up a roundup instance"
- einfo "Then edit your config.py file in the tracker home you setup"
- einfo "Run 'roundup-admin initialise' to setup the admin pass"
- einfo "run /usr/bin/roundup start port host \"your tracker name\" [your \
-tracker home], and all should work!"
- einfo "run /usr/bin/roundup stop [your tracker home] to stop the server"
- einfo "log is in [tracker home]/roundup.log"
- einfo "pid file is in [tracker home]/roundup.pid"
- einfo
- einfo "See upgrading.txt for upgrading instructions."
-}
diff --git a/www-apps/roundup/roundup-1.4.1.ebuild b/www-apps/roundup/roundup-1.4.4-r1.ebuild
index 380a0d0f0395..4bca5eaf9961 100644
--- a/www-apps/roundup/roundup-1.4.1.ebuild
+++ b/www-apps/roundup/roundup-1.4.4-r1.ebuild
@@ -1,13 +1,14 @@
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/roundup-1.4.1.ebuild,v 1.1 2008/01/25 08:49:03 wrobel Exp $
+# $Header: /var/cvsroot/gentoo-x86/www-apps/roundup/roundup-1.4.4-r1.ebuild,v 1.1 2008/04/03 10:42:55 hollow Exp $
-inherit eutils
+inherit eutils distutils
DESCRIPTION="Simple-to-use and -install issue-tracking system with command-line, web, and e-mail interfaces."
SRC_URI="http://cheeseshop.python.org/packages/source/r/${PN}/${P}.tar.gz"
HOMEPAGE="http://roundup.sourceforge.net"
-KEYWORDS="~x86 ~sparc ~amd64 ~ppc"
+
+KEYWORDS="~amd64 ~ppc ~sparc ~x86"
LICENSE="as-is"
SLOT="0"
IUSE=""
@@ -19,17 +20,15 @@ src_unpack() {
unpack ${A}
cd "${S}"
+ epatch "${FILESDIR}"/${P}-CVE-2008-1475.patch
+
# We need to fix the location for man pages (#204308)
sed -i -e 's#man/man1#share/man/man1#' setup.py
}
-src_compile() {
- python setup.py build || die
-}
-
src_install() {
- python setup.py install --root="${D}" --prefix=/usr || die
- dodoc CHANGES.txt PKG-INFO README.txt doc/*.txt
+ distutils_src_install
+ dodoc CHANGES.txt doc/*.txt
dohtml doc/*.html
dobin "${FILESDIR}"/roundup
}
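Review bot: The added `epatch "${FILESDIR}"/${P}-CVE-2008-1475.patch` line in `src_unpack()` has no comment, while the `sed` directly below it documents its reason and bug number. A line such as `# Security fix for the XML-RPC permission checks, CVE-2008-1475 (bug #214666)` above the `epatch` call would tell a later maintainer why the patch is applied and when it can be dropped on a version bump. `src_unpack()` starts outside this hunk.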